
There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise, because it discounts the extensive, multi-year investments CISOs have made in cybersecurity tools, innovation, and resources to address ongoing cyberattacks against business services that have moved to cloud and SaaS platforms.

In cloud- and SaaS-based Incident Response, however, there is an acknowledged “peacetime”: the intervals between real-world breach attempts and the organizational investigations they trigger. Many IR vendors are front-and-center in helping organizations identify breach attempts and coordinate efficient investigative response, yet their customers frequently question the value of an annual subscription with their contracted provider between firefights.

Organizations relying on large-scale cloud and SaaS investments should rightfully expect their IR vendor to provide a regular program of readiness activities that help security teams make the business better prepared to withstand the next cyberattack. Here is how IR vendors should meet those expectations.

Don’t delay forensic data acquisition and storage

Establishing IR peacetime value should actually begin during customer onboarding, with upfront cloud and SaaS log collection using established connectors into de facto sources like AWS, GCP, Azure, MongoDB, Snowflake, Okta, Salesforce, and Slack. Proactive forensic data acquisition reduces the risk, execution time, and downtime associated with standard investigations by enabling cybersecurity teams to commence IR activities immediately after a breach is identified, leveraging securely stored, easily queried forensic data.

Don’t forget: the longer the vendor retains that data (1,000 days, for example), the more successful your future incident response activities will be.

Establish a shared-responsibility model during onboarding

In addition to proactive data collection, look for IR solutions focused on establishing a shared-responsibility partnership that enables your organization to maximize your vendor’s IR personnel, technology, data, and recommended practices. This model helps organizations minimize critical incidents and quickly return to business as usual. Relying on the continuity of known IR vendor contacts across both investigations and peacetime activities resolves questions about associated third-party staffing availability and delays that can impede both incident response and building cyber resilience.

Expect incident response readiness programs to enhance organizational cyber resilience

Lessons learned from recent, successful IR investigations are valuable, but why should they stay in-house? IR vendors should apply threat analysis from real-world cloud and SaaS incidents, whether found “in the wild” or in another customer’s account, across their entire customer base, including yours. Proactive threat hunts dedicated to your organization’s environment should be provided on a regular cadence, quarterly, for example.

To complement this focus on proactive threat hunting, your organization’s IR resilience should include vendor-provided Breach and Readiness Assessment programs that identify gaps and provide recommended-practice guidelines on how best to close them.

Leverage vendor automation to improve your cloud and SaaS IR investigation efficiencies

Hands-on expertise in maximizing your forensic data in successful IR investigations is a strong contributor to minimizing disruptions. So, too, is IR automation that shortens the investigative response process.

Derive more value from your stored forensic data

IR vendors should help organizations overcome the differences between cloud/SaaS log collection and an on-premises model by providing recommended practices aligned with industry standards for forensic investigation, including logging formats, forensic gathering procedures, and default log retention. Customer demands for data lake access and management should apply to the cloud and SaaS forensic baseline as well; ask IR vendors about their policies for providing direct customer access to collected logs.
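The two themes above (proactive, long-retention forensic acquisition during onboarding, and normalized, directly queryable log formats) can be illustrated with a small self-contained model of such a store. The following is an added example written for this article, not Mitiga's code or a description of its platform. It assumes a hypothetical SQLite-backed `ForensicStore`, two hypothetical normalizers for CloudTrail-style and Okta-style records, and constructed sample events (the ARNs, e-mail addresses and IP addresses are placeholders); real connectors would pull these records from the provider APIs instead. It applies the article's 1,000-day retention figure and shows the kind of cross-source query (activity from one source IP across AWS and Okta) that pre-collected, normalized data makes immediate.

```python
"""Toy forensic log store: normalize multi-source cloud/SaaS events, enforce a
retention window, and answer cross-source investigative queries.
Added example; not Mitiga's code. All sample records are constructed."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 1000  # retention window the article cites as an example

# Constructed sample records in two native formats (hypothetical identifiers).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2021-01-15T08:30:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7"},
]
SAMPLE_OKTA = [
    {"published": "2024-05-01T10:05:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"}},
]


def _parse_ts(value):
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_cloudtrail(rec):
    """Map a CloudTrail-style record onto the common schema."""
    return {"ts": _parse_ts(rec["eventTime"]).isoformat(), "source": "aws_cloudtrail",
            "actor": rec["userIdentity"]["arn"], "action": rec["eventName"],
            "src_ip": rec.get("sourceIPAddress"), "raw": json.dumps(rec, sort_keys=True)}


def normalize_okta(rec):
    """Map an Okta System Log-style record onto the common schema."""
    return {"ts": _parse_ts(rec["published"]).isoformat(), "source": "okta_system_log",
            "actor": rec["actor"]["alternateId"], "action": rec["eventType"],
            "src_ip": rec.get("client", {}).get("ipAddress"), "raw": json.dumps(rec, sort_keys=True)}


class ForensicStore:
    """Hypothetical store: one table, common columns, raw record kept for evidence."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT NOT NULL, source TEXT NOT NULL,"
                        " actor TEXT, action TEXT, src_ip TEXT, raw TEXT NOT NULL)")
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_ts ON events(ts)")
        self.db.execute("CREATE INDEX IF NOT EXISTS idx_ip ON events(src_ip)")

    def ingest(self, events):
        self.db.executemany("INSERT INTO events VALUES (:ts, :source, :actor, :action, :src_ip, :raw)", events)
        self.db.commit()
        return self.count()

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM events").fetchone()[0]

    def apply_retention(self, now, days=RETENTION_DAYS):
        """Drop events older than the window; returns the number removed."""
        cutoff = (now - timedelta(days=days)).isoformat()
        cur = self.db.execute("DELETE FROM events WHERE ts < ?", (cutoff,))
        self.db.commit()
        return cur.rowcount

    def activity_from_ip(self, ip):
        """Cross-source pivot: everything seen from one source IP, oldest first."""
        return self.db.execute("SELECT ts, source, actor, action FROM events WHERE src_ip = ? ORDER BY ts",
                               (ip,)).fetchall()

    def actor_timeline(self, actor_fragment, since, until):
        """All events whose actor matches a fragment, across identity formats."""
        return self.db.execute("SELECT ts, source, actor, action FROM events WHERE actor LIKE ? "
                               "AND ts BETWEEN ? AND ? ORDER BY ts",
                               (f"%{actor_fragment}%", since.isoformat(), until.isoformat())).fetchall()


def demo():
    """Ingest the constructed records, enforce retention, run two pivots."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = ForensicStore()
    before = store.ingest([normalize_cloudtrail(r) for r in SAMPLE_CLOUDTRAIL]
                          + [normalize_okta(r) for r in SAMPLE_OKTA])
    dropped = store.apply_retention(now)
    return {"before": before, "dropped": dropped, "after": store.count(),
            "ip_hits": store.activity_from_ip("203.0.113.5"),
            "alice_events": store.actor_timeline("alice", now - timedelta(days=60), now)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The point of the common schema is that an investigator asks one question ("what did this IP touch?") once, rather than re-learning each provider's native format under time pressure; the raw record is retained alongside so the normalized view never replaces the evidence. Retention is enforced on ingest-time timestamps, so the oldest constructed record (from 2021) falls outside the 1,000-day window measured from June 2024 and is dropped.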

Last updated: January 23, 2025
